President Barack Obama, flanked by Vice President Joe Biden and House Speaker John Boehner of Ohio, gestures during the State of the Union address before a joint session of Congress on Capitol Hill in Washington, Tuesday Feb. 12, 2013. AFP PHOTO / Pool / Charles DharapakCHARLES DHARAPAK/AFP/Getty Images

The National Cybersecurity and Communications Integration Center in Arlington, Va., monitors online communications for the Homeland Security Department.

The National Cybersecurity and Communications Integration Center in Arlington, Va., monitors online communications for the Homeland Security Department.

Photo: Drew Angerer, New York Times

Image 3 of 3

Cybersecurity debate focuses on sharing

1 / 3

Back to Gallery

Protecting computing systems and information that govern not just sites like Facebook and Google, but the nation's infrastructure, was a pervasive, contentious topic last week. Businesses and privacy groups debating the issue showed that legislating to address an ever-changing digital universe will continue to prove difficult.

There are three general areas that companies, activists and regulators agree need some sort of overhaul: standards for managing that data; government sharing security data with the private sector; and whether businesses should share data among themselves and with the government for security purposes - and if so, how.

Both business and advocacy groups believe that tackling the first two issues is critical for defense from cybercrimes, and largely see eye to eye on how regulation of those areas was changed last week by the executive order President Obama announced during his State of the Union address.

Business Channel

Nike to Investigate Workplace Behavior, Announces President will ResignWibbitz

You Can Only Make Reservations at This Restaurant By Sending a Post CardBuzz 60

An Emirates Flight Attendant Dies After Falling Off PlaneBuzz 60

How has digitalisation transformed travel marketing?Euronews

Passengers Travelling With Small Child Taken Off Southwest Flight From Chicago to AtlantaStoryful

'3 Kings' of hip-hopFox5

ESports Continues To Intrigue InvestorsWochit

Is This the End of Candy Hearts? America's 'Oldest' Candy Company Could CloseVeuer

See IBM’s New Computer That Is Smaller Than A Grain Of SaltBuzz 60

Cats Ride Robotic Stuffed CrabJukin Media

Support for order

The president's order grants the right of executive branch agencies to share cybersecurity data with businesses and defense contractors, and instructs the National Institute of Standards and Technology to create voluntary and publicly available standards for communicating and managing that information. The measure drew support from both business leaders and watchdog groups.

Ann Beauchesne, vice president of the U.S. Chamber of Commerce's National Security & Emergency Preparedness Department, praised the Obama administration for discussing the issue with the business community before issuing the order. "It could give various stakeholders (businesses) the opportunity to judge what works and what doesn't work regarding the proposed cybersecurity program," she said.

Leslie Harris, president of the Center for Democracy & Technology, an advocacy group for individuals' rights online, concurs. One of the best measures to bolster cybersecurity, she said, is for the government to share cyber-threats and expertise with private industry, rather than for it to monitor private networks.

"It is better for security and privacy to have private entities protect their own systems and networks," she said. "Better sharing of what the government knows will enhance that effort."

Congressional action

But the president's executive order creates a one-way street for the flow of data - from the government to the private sector. It stops short of endorsing a more controversial measure among activist groups: businesses sharing personal information with the government or other businesses. Such a move would require congressional action, likely an update to the Electronic Communications Privacy Act, a 1986 measure seen now as outdated.

The act would not only grant companies the right to share data with each other, but also allow sharing with the government, including the Department of Homeland Security or the National Security Agency. The law would also protect businesses against lawsuits when sharing data.

Those provisions, coupled with murky language on just how that sharing would be monitored, concerns groups like the Center for Democracy & Technology, the ACLU and the Electronic Frontier Foundation.

Supporters of the bill note that it is designed to secure our nation's infrastructure. Power plants, cell phone towers and water treatment centers are woefully out of date when it comes to defending against cyber-threats like the theft of digital records or installing harmful computer viruses into important systems, the argument goes. But many worry that measures like the intelligence-sharing act create a slippery slope toward infringing on everyday citizens' personal freedoms.

Lee Tien, an attorney at the Electronic Frontier Foundation, says that the problem with the act is that it does away with limits on sharing of personal information.

"You can imagine why it'd be good," he says, allowing, for example, a company like Comcast, if it noticed strange network activity for a group of users, to alert Amazon or some other business about the problem. Businesses would have more leeway to look at, share and make decisions on personal data. "That's a big opening that doesn't exist right now," Tien acknowledged.

But that sharing, Tien and others say, would be largely unregulated - and that's the problem. It shouldn't happen without transparency and oversight.

The Chamber of Commerce's Beauchesne, though, favors less government involvement, arguing that businesses prefer to secure their information via partnerships with one another and the government - not by regulation.

Paul Smocer, president of BITS, an advocacy group for financial services companies, testified before a House committee in support of the intelligence-sharing act. "Increasing information sharing is essential for institutions to respond efficiently to the ever-evolving threat environment, and plays a critical role in improving our nation's cyber defenses," he said.

Internet companies

The measure has also garnered support from Internet companies themselves. Joel Kaplan, Facebook's vice president for U.S. public policy, notes that the act wouldn't obligate the company to share any data and that there are safeguards to protect private user information.

But Kaplan acknowledges the warnings of advocacy groups, saying Facebook has no intention of sharing sensitive personal information with the government in the name of cybersecurity, and such action is unrelated to what Facebook liked about the proposed law in the first place: the additional information it would provide about specific cyber-threats to its systems and users.

Tien also points out that under the act, information carriers could share data with highly secretive intelligence agencies like the National Security Agency, making them a proxy for spying.

Sites like Facebook or Gmail track the habits of their users, both lawful and otherwise, collecting pictures, geo-coordinates, interests and private thoughts and discussions. By crunching that data, government investigators can create a fairly complete picture of a person's life.

That fear was brought home last week when the Guardian newspaper released a 2010 video it obtained demonstrating tracking software created by defense contractor Raytheon.

The video featured the Massachusetts company's principal investigator, Brian Urch, showing how he tracked a man based on places he had used his smartphone.

"If you ever wanted to get a hold of his laptop," Urch says with astonishing casualness at one point, "you might want to visit the gym at 6 a.m. on Monday."